BlackSuit Ransomware Group Targets IBEW Local 1 in St. Louis

Overview of the Attack

On June 26, 2024, the BlackSuit ransomware group claimed responsibility for a cyberattack on the International Brotherhood of Electrical Workers (IBEW) Local 1, a prominent labor union based in St. Louis, Missouri. The attack was publicized via the group's dark web leak site, raising significant concerns about the security of the union's sensitive information. The exact size of the data leak remains unknown, but the implications for the union and its members are potentially severe.

About IBEW Local 1

IBEW Local 1 is the first local chapter of the International Brotherhood of Electrical Workers, established on November 21, 1891. The organization represents over 5,000 active members and 900 retirees in the electrical industry across St. Louis and 25 surrounding Missouri counties. The union is known for its storied history, including illuminating the 1904 World's Fair in St. Louis with the first electric lights ever seen at a world's fair.

IBEW Local 1 provides a range of services to its members, including negotiating collective bargaining agreements, offering legal representation, and operating apprenticeship programs. The union's training center, considered one of the most high-tech construction crafts training centers in the nation, underscores its commitment to producing highly skilled electricians.

Vulnerabilities and Targeting

As a labor union, IBEW Local 1 handles a significant amount of sensitive information, including personal data of its members, collective bargaining agreements, and legal documents. This makes the organization a lucrative target for ransomware groups like BlackSuit. The union's extensive use of digital systems for training, member services, and administrative functions may have presented multiple entry points for cybercriminals.

Details of the Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and is closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note includes a reference to a Tor chat site for victims to contact the operators.

Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit may be a new variant developed by the same authors, a copycat, or an affiliate of the Royal ransomware gang. The high degree of similarity in code and functionality indicates a shared origin or inspiration.

Potential Penetration Methods

While the exact method of penetration in the IBEW Local 1 attack is not yet known, ransomware groups like BlackSuit typically exploit vulnerabilities in software, use phishing attacks, or leverage weak security protocols to gain access to systems. Given the union's extensive digital infrastructure, any unpatched software, weak passwords, or lack of multi-factor authentication could have been potential entry points for the attackers.

Sources

• IBEW Local 1 Official Website
• Security Affairs: BlackSuit Similar to Royal Ransomware
• Bleeping Computer: The Week in Ransomware